09-28-2016 03:23 AM - edited 03-11-2019 12:06 AM
I implement ISE v1.4 on our network we use 'Compus Design', We have one subnet for all switches '192.168.40.0/24' as SVI for management, and we have many VLANs for end-users, Web Redirection does not work on any of this VLANs, It work only when I but end-user with same subnet of management VLAN. what can I do resolve this issue.
should I create SVIs for all end-users VLANs?.
Best Regard
Solved! Go to Solution.
10-03-2016 07:18 AM
Mohammed,
Does your management subnet have a route and is allowed access to the subnets where your users and devices reside? This is required when doing wired ISE URL redirect as the redirect comes from the switch's management SVI and is sent to the client device IP (which it knows by virtue of ip device tracking).
I had a similar problem where the customer's management network was firewalled away from user VLANs. Once we opened the necessary access-list entry, redirects were received and started working.
No additional SVI is required. (Although having an SVI in the user VLAN also fixes the problem - but it's not the "proper" solution architecturally.)
10-03-2016 10:28 AM
The origin IP of the URL redirect is the local switch's management SVI. It will need to communicate with the end host IP addresses on tcp/80 (http) and tcp/443 (https).
You didn't include it above, but be sure that your switch has:
ip http server
ip http secure-server
...enabled. Those are required for the switch to be able to do the URL redirect.
If your're concerned about enabling those services increasing the attack surface of the switches' management plane, you can restrict that via the following (the ports will still be open but the switch will not accept any sessions on them):
ip http secure-active-session-modules none
ip http active-session-modules none
10-02-2016 06:45 PM
Hi there, I have a couple of questions:
1. Who is doing the routing for those end user VLANs? (Where is their default gateway)?
2. Can you post your RADIUS and dot1x related configs?
Thank you for rating helpful posts!
10-03-2016 07:18 AM
Dear Eng. Neno:
Thank you for support, Firstly I want explain you the big picture:
End-user<----> (Access_SW also act as Distribution_SW ) <-----> (Core_SW)<--->(Core_SW)<--->(Access_SW)<---> ISE Server. |
Communication done between NAC agent and ISE 'Authentication Authorization Accounting', Just Web-redirect does not work with clients on any VLANs only when I put client into Management VLAN.
I tested with add another SVI for specific VLAN and Web-redirect working. From that I suppose it I need SVI for every VLANs?,
I have a lot of VLANs should I create SVI for all VLANs???
1. We use OSPF on Core Switch for all VLANs routing.(there not any routing Access SW, Just they're one SVI 192.168.40.11 for VLAN Manage and default route '0.0.0.0 0.0.0.0 192.168.40.1'.)
2.
aaa new-model aaa server radius dynamic-author |
10-03-2016 07:18 AM
Mohammed,
Does your management subnet have a route and is allowed access to the subnets where your users and devices reside? This is required when doing wired ISE URL redirect as the redirect comes from the switch's management SVI and is sent to the client device IP (which it knows by virtue of ip device tracking).
I had a similar problem where the customer's management network was firewalled away from user VLANs. Once we opened the necessary access-list entry, redirects were received and started working.
No additional SVI is required. (Although having an SVI in the user VLAN also fixes the problem - but it's not the "proper" solution architecturally.)
10-03-2016 09:40 AM
Dear Eng. Rhoads:
I hope you well, Yes I think the problem from firewall. That mean management IP its involving in redirect process. But what port should be open it on firewall ? .
10-03-2016 10:28 AM
The origin IP of the URL redirect is the local switch's management SVI. It will need to communicate with the end host IP addresses on tcp/80 (http) and tcp/443 (https).
You didn't include it above, but be sure that your switch has:
ip http server
ip http secure-server
...enabled. Those are required for the switch to be able to do the URL redirect.
If your're concerned about enabling those services increasing the attack surface of the switches' management plane, you can restrict that via the following (the ports will still be open but the switch will not accept any sessions on them):
ip http secure-active-session-modules none
ip http active-session-modules none
10-03-2016 10:38 AM
Thank Marvin
do you mean the vlan management and vlan client have a route between them , that mean must I route all my vlans to mangement subnet .
what the necessary access-list entry you opened on your firewall.
10-03-2016 10:54 AM
No you do not need to route all your VLANs to management subnet.
The URL redirect traffic will originate from the switches' management SVIs (assuming that is the only IP address on a typical campus access switch). Those switches have a default gateway or default route on some upstream device. Depending on your design, that could be a distribution switch, a core switch a firewall etc.
Whatever it is, it must have in its routing table a way that will reach the end hosts' subnets. Any security enforcement device in the path must allow that traffic.
In the simplest scenario it would be a core switch with an interface ACL on the management subnet. I have seen that, I have seen it be a firewall (Cisco ASA or other) and I have seen the separation be via use of VRF in the core.
The ACL would be something like:
ip access-list extended <acl name>
permit tcp <management subnet> <mask> any eq www
permit tcp <management subnet> <mask> any eq 443
...for a switch.
If the device is an ASA firewall it would be something like:
access-list <acl name> permit tcp <management subnet> <mask> any eq www
access-list <acl name> permit tcp <management subnet> <mask> any eq 443
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide